group.of.nepali.translators team mailing list archive
Message #11563
[Bug 1668321] Re: Vulnerability allows read/write/exec access on Ubuntu 16.04 Screenlock as lightdm user
This bug was fixed in the package network-manager-applet - 1.4.2-1ubuntu3

---------------
network-manager-applet (1.4.2-1ubuntu3) zesty; urgency=medium

  * SECURITY UPDATE: file access from login screen (LP: #1668321)
    - debian/patches/applet-Check-the-user-has-permission-to-modify-befor.patch:
      check permissions before showing dialog in src/applet-device-wifi.c.
    - No CVE number

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Wed, 08 Mar 2017 07:51:25 -0500

** Changed in: network-manager-applet (Ubuntu Zesty)
Status: Confirmed => Fix Released
https://bugs.launchpad.net/bugs/1668321
Title:
Vulnerability allows read/write/exec access on Ubuntu 16.04 Screenlock
as lightdm user
Status in network-manager-applet package in Ubuntu:
Fix Released
Status in network-manager-applet source package in Precise:
Fix Released
Status in network-manager-applet source package in Trusty:
Fix Released
Status in network-manager-applet source package in Xenial:
Fix Released
Status in network-manager-applet source package in Yakkety:
Fix Released
Status in network-manager-applet source package in Zesty:
Fix Released
Bug description:
Hi,
We just found a vulnerability in lightdm which could lead us to read files with lightdm permissions, and also write in some directories.
We were able to download a reverse_shell payload and execute it in order to gain a reverse shell as lightdm on a remote system.
The exploitation requires physical access to the locked computer and
the Wi-Fi must be turned on. An access point that lets you use a
certificate to log in is required as well, but it's easy to create one.
Then, it's possible to open a nautilus window and browse directories.
We can also open some applications such as Firefox, which is useful to
download malicious binaries :-)
See this video for the PoC :
https://www.youtube.com/watch?v=Fp2lwRVg0l0
---------
Some info about the Ubuntu version I used on the video above :
$ lsb_release -rd
Description: Ubuntu 16.04.2 LTS
Release: 16.04
$ apt-cache policy lightdm
lightdm:
  Installé : 1.18.3-0ubuntu1
  Candidat : 1.18.3-0ubuntu1
  Table de version :
 *** 1.18.3-0ubuntu1 500
        500 http://fr.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.18.1-0ubuntu1 500
        500 http://fr.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
----------------
I will leave you time for correction before publishing the discovery.
If you have any questions, please let me know!
Regards,
Quentin Biguenet
--
Orange Cyber-Defense
quentin.biguenet@xxxxxxxxxx